[Servercert-wg] List of Websites Relying on TLS 1.0 / 1.1

Doug Beattie doug.beattie at globalsign.com
Mon Aug 12 05:29:26 MST 2019


Hi Wayne,



It would be helpful if you included the Serial number of the certificate you 
found.  Do you think you could add that so we can track back to the specific 
certificate request that is securing the site?


Doug







From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Wayne 
Thayer via Servercert-wg
Sent: Friday, August 9, 2019 2:52 PM
To: CA/B Forum Server Certificate WG Public Discussion List 
<servercert-wg at cabforum.org>
Subject: Re: [Servercert-wg] List of Websites Relying on TLS 1.0 / 1.1



Here is a current list of websites that don't support TLS 1.2 or higher: 
https://docs.google.com/spreadsheets/d/1Sx94fDTTo9MhXXorQJXizk2J6rs-Vc65cptaQqMjGwQ/edit?usp=sharing



(also here in CSV format: 
https://bugzilla.mozilla.org/attachment.cgi?id=9083874)



It includes the issuing CA and serial number, so should be easy for each CA to 
filter.



Thank you to everyone who has or is planning to reach out to your customers 
that are on the list.



- Wayne



On Mon, Jul 1, 2019 at 8:54 AM Wayne Thayer <wthayer at mozilla.com 
<mailto:wthayer at mozilla.com> > wrote:

Last year, Mozilla [1], Google [2], Microsoft [3], and Apple [4] all announced 
that our browsers will stop supporting TLS 1.0 and 1.1 in March 2020. During 
the Mozilla browser update at the last two F2F meetings, I have asked CAs to 
help get the word out to their customers about this change. CAs have direct 
relationships with the organizations that operate affected websites, and this 
provides a great opportunity for CAs to engage with their customers and help 
to improve web security.



At the last meeting, I was asked if Mozilla could facilitate this outreach by 
providing a list of websites that do not support TLS 1.2 or higher grouped by 
the CA that issued the website's TLS certificate. This information - for 
websites on the Tranco top 1 million list [5] - is located at:



https://docs.google.com/spreadsheets/d/1iSEEfc5AuYwT5elAEvkZdLSbwBeJ_SR-0El6s08zNs8/edit#gid=2044764669



Please be aware that this information was collected 1-2 months ago, so I 
recommend that you confirm that the site is still on the following list of 
affected site, which is updated weekly:



http://tlscanary-plot-8e95d89854d73f4d.elb.us-west-2.amazonaws.com/tlsdeprecation-carnage.txt



Please let me know if you have any questions, and thanks in advance for 
everyone's help with this!



- Wayne



[1] https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/

[2] 
https://security.googleblog.com/2018/10/modernizing-transport-security.html

[3] https://blogs.windows.com/msedgedev/2018/10/15/modernizing-tls-edge-ie11/

[4] 
https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/

[5] https://tranco-list.eu/



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20190812/9ef1a53e/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5701 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/servercert-wg/attachments/20190812/9ef1a53e/attachment.p7s>


More information about the Servercert-wg mailing list